Statement of RADM Mayo
--------------------------------------------------------------------------------
STATEMENT OF REAR ADMIRAL RICHARD MAYO
DIRECTOR, SPACE, INFORMATION WARFARE,
COMMAND AND CONTROL
CHIEF OF NAVAL OPERATIONS
Good afternoon, Mr. Chairman, Members of the
Committee, and staff. I am Rear Admiral Dick Mayo, currently serving on
the Navy staff as Director of Space, Information Warfare, and Command
and Control.
I am pleased to be here to discuss what I believe are
two of the most important areas we are facing today in the
Navy—Information Superiority and Information Assurance. The United
States Navy is in the midst of a transformation that capitalizes on the
awesome potential of advanced information technology, and the topics of
this hearing go to the heart of all our basic Information Age
challenges. In a strategic sense, this now includes the dimension of
cyberspace. We must use cyberspace well to influence events, and we
must protect our access to cyberspace. Operationally, using networks to
host this new medium provides a significantly increased advantage to our
warfighters. We have made tremendous strides in the last several years
realizing this potential, and it is more important than ever that we
maintain this momentum.
I would first like to offer our current perspective on
Information Superiority, then discuss Information Assurance, and finish
with our "entry fees" to both of these.
Network Centric Operations
Since the release of Joint Vision 2010 first focused
awareness on the subject, many new insights have been gained. Navy is
fully engaged in the pursuit of Network Centric Operations as our
capstone concept for bringing networked organizations and technologies
to bear in the battlespace. It leverages the distributed networking of
our people, information, weapons, and sensors to achieve faster and
significantly improved effects with smarter, more adaptive performance.
As we have started fielding our networks, and experimented and operated
with them in the real world, we have brought additional insights into
our new concept for Knowledge Superiority, building upon our original
appreciation of Information Superiority.
Knowledge Superiority
Knowledge Superiority provides a strong perspective on the value
of organizational and human dynamics, and how these networked
organizations behave to yield truly powerful benefits. Knowledge
Superiority focuses on people; what they know; how they bring that
knowledge together; and, how they put that knowledge into action to gain
the advantage and take the initiative. This power comes primarily from
three main network features: first, the nearly universal access to
information; second, the use of rich collaboration venues among
interested and knowledgeable parties; and, third, smartly applied
decentralized authority to act quickly and knowledgeably at the local
“points of tactical contact.” These “points of tactical contact” are
where we most want adaptability, speed, precision, and agility. By
giving our Sailors the ability to access the nets, collaborate, and
innovate—and the trust to act professionally and appropriately to
achieve our goals—we ensure Navy's operational success.
Investment and Policy Choices Determine the Degree of Operational
Adaptability
I want to emphasize this point about empowered capability first
because it is absolutely vital to recognize that the choices we make
about the connectivity and applications available to our people will
determine our approach to warfighting. Where we place our network
connections, what connectivity is available, what network applications
are provided, and how reliable they are, will determine how our Sailors
will be able to achieve their goals. We should be careful not to lock
out options, especially when our greatest advantage is the battlefield
innovation repeatedly demonstrated by our own people who constantly
impress us with new combinations of actionable knowledge, followed by
the unique and powerful application of capabilities that we did not
previously imagine.
Our momentum must be maintained in delivering tools to our Fleet
for a highly distributed, generally decentralized, fully empowering
capability to realize our innovative Information Age potential. This
mentality must form our choices concerning connectivity, applications,
and network control and management. We must enable our Sailors to the
fullest extent possible so as to allow them to control their combat
destiny. Indeed, we should always err on the side of empowerment
because I am eager to let the Sailors themselves tell us what we need to
win our future wars.
Operational Payoffs
Here is what they are telling us. During Operation ALLIED FORCE
in Serbia and Kosovo, the SIPRNET (Secure Internet Protocol Router
Network) literally replaced regular naval messages as the primary means
for communication and coordination among our staffs and ships. The
medium is so much faster and more personal that it has become absolutely
indispensable in the conduct of today's operations. Key planning events
were conducted via e-mail and video-teleconferences. Commanding
Officers had on-going dialog with their Task Force Commanders. Navy air
strike planners afloat collaborated with joint intelligence cells around
Europe and with strike planners at the air operation centers ashore, and
with Tomahawk missile planners on other ships hundreds of miles apart.
Pilots were on the net conducting live debriefs with intelligence
collection managers. New combinations of intelligence analysis, coupled
with the commander’s wisdom and experience and the intimate reality of
the on-scene tactician, created new and relevant successes in this joint
campaign.
In the heat of war, we were able to capture one such amazing
event. On one occasion, a USAF aircraft over Serbia recognized a group
of enemy mobile targets. This information was fed to the network,
resulting in a significantly reduced response time and allowing a Navy
Tomahawk missile to be used against these targets. Through the use of
our networking, we were able to take a process that previously consumed
days, and turn it into a truly tactically significant capability. We
want to spread that capability throughout our forces. Our Information
Technology for the 21st Century, or IT-21 capable Battle Groups continue
to report operationally significant benefits like this. During
Operation DESERT FOX strikes against Iraq, we conducted dual Carrier
Battle Group strike coordination with the joint air commander almost
exclusively over the SIPRNET. Recently, during a crisis over the
incursion of North Korean fishing vessels into South Korean waters,
SEVENTH Fleet sent IT-21 capable ships to monitor and respond, enabling
these ships to share their situational awareness with the joint forces
commander ashore. A true transformation is taking place, with
organizational and operational overtones that are now just being
recognized and understood.
Some additional examples come to us from our Fleet Battle
Experiments. My Directorate sponsors the Navy Warfare Development
Command (NWDC) in Newport, Rhode Island. NWDC coordinates live
experimentation in our Fleets. In Fleet Battle Experiment (FBE) Delta
conducted by SEVENTH Fleet, our networking technology enabled the
planning and execution of an entirely new tactic—the coordinated
employment of shore-based Army Apache helicopters against enemy maritime
special operations forces (SOF). This previously untested and untried
force combination was able to achieve a ten-fold increase in counter-SOF
attacks. In FBE Echo conducted by THIRD Fleet in March 1999, our
networks enabled new combinations of surveillance and strike platforms
working against mobile targets ashore. Also in FBE Echo, our area
anti-submarine forces successfully employed a SIPRNET site to maintain a
common undersea picture and conduct collaborative planning via web-based
chat. This web-based function has transitioned to successful real world
operations in the Pacific theater. In FBE Foxtrot conducted by FIFTH
Fleet in December 1999, our networks were used to accelerate all phases
and dimensions of operations—air defense suppression, sea control,
interdiction, and strike operations. This is known as rapidly decisive
“parallel” or “simultaneous” operations. Our networks allow us to
achieve new levels of performance.
Information Security and Information Assurance
I would now like to address Information Assurance
(IA). Our approach to Information Assurance is known as
“defense-in-depth.” We have adopted a layered, end-to-end approach to
network defense. As I describe the measures, please keep in mind that
these apply directly to our currently on-going IT-21 and projected
Navy-Marine Corps Intranet (NMCI) efforts. With defense-in-depth,
security protection mechanisms are employed in multiple locations in the
network architecture. For example, depth could mean layering link
encryption over network protocol encryption, and further layering it
over e-mail (application layer) encryption. Another example would be to
use two different anti-viral packages, one at the firewall/mail server
and another at the end-user workstation. In addition to technical
protection devices like these, our defense-in-depth takes into account
trained personnel and an improved IA organizational infrastructure as
well.
Firewalls, intrusion detection devices, and software tools are
installed as technical defense measures throughout every network
echelon. This means that at each and every layer of our network--from
the individual desktop, to the LAN (Local Area Network) in each ship or
building, to the next layer network throughout a set of buildings (such
as a headquarters facility or a base), to the metropolitan area
networks, and to the regional Network Operations Centers--these tools
are in use simultaneously.
We have designated our Space and Naval Warfare Systems Command's
(SPAWAR) IA program manager as the IA Technical Authority and
Certification Authority on all technical security matters. This central
authority provides network-wide high standards for quality control and
compliance. Navy's central Technical Authority maintains a web site as
a central up-to-date resource that includes an IA software toolkit (such
as virus scanners and a secure copying program), IA policy and guidance,
and certification templates. The Technical Authority also develops our
IA technical publications which contain detailed incident reporting
guidance, defensive system configuration guidance, and IA technical
procedures in general. Most important, the Technical Authority works
with acquisition program managers throughout the Department of the Navy
to ensure that technical requirements are being met in all programs.
A significant part of our Information Systems Technician (IT)
personnel and training efforts cover our needs for IA. All IT-rated
personnel will be exposed to varying degrees of IA training over the
course of their careers. Beyond initial system administration training,
mid-career personnel working at Network Operations Centers are being
trained as Network Security Vulnerability Technicians. This is an
8-week course directed at securing information systems. Since
introducing the course in 1997, we have doubled our throughput to 120
per year. Qualified IT personnel at the E-6 and O-4 levels are being
trained as Information Systems Security Managers through a new course
that will train 164 personnel this year. They will function as an
activity's accreditation action officer, institute security policy,
implement security risk management programs, and develop information
systems security and contingency plans. This training is being made
available both at Pensacola and by six Mobile Training Teams.
Our organizational infrastructure has been adapted to deal with
increased security threats. We achieved full operational capability of
the Navy Component Task Force for Computer Network Defense (NCTF-CND) on
31 July 1999. NCTF-CND conducts continuous IA vulnerability
assessments, implements Information Security Conditions (INFOCONs), and
works directly with the Joint Task Force for Computer Network Defense
(JTF-CND). In 1999, the NCTF-CND issued eleven IA Vulnerability Alerts
and three IA Vulnerability Bulletins to mitigate computer network
vulnerabilities. NCTF-CND also conducted a Navy-wide INFOCON exercise
in late 1999, the results of which contributed greatly to our
understanding of the operational impact of INFOCONs and the need for
detailed response procedures.
Our Fleet Information Warfare Center (FIWC) conducts intrusion
detection, incident reporting, and operates the Naval Computer Incident
Response Team (NAVCIRT). FIWC additionally works with the numbered
Fleet Commanders and Battle Group Commanders to conduct aggressive "red
team" efforts during Joint Task Force Exercises. In this way, we can
detect IA problems, conduct on-the-job system administrator training
under IA stress conditions, and heighten IA awareness as part of
deployment preparations.
Together with my staff, each of these arms of our IA effort
overlap to focus on supporting all Navy System Administrators, our
“points of tactical contact” for IA. They are notified of potential
security activity or concerns by the NCTF-CND and have FIWC-developed
response capabilities at their disposal. Every System Administrator
also has access to the expertise and security products resident at the
Navy's central Technical Authority at SPAWAR. They administer networked
systems simultaneously at all levels, providing depth to the defense.
They are truly our first and best line of defense, and are often the
initial reporting source on probes and incidents occurring in our
networks.
Our organizational alignment will soon include the closer
integration of Navy and Marine Corps Headquarter's C4I staffs, with
single leadership for our IA programs and policies. New IA leverage has
also grown from our intense Y2K effort, including much greater insight
into our total IT inventories which will be used for improved security
through configuration control and improved enterprise-wide IA
vulnerability assessments.
Other specific IA accomplishments this past year include:
a.. An IA R&D plan focused on technologies which comprise our
networks.
b.. Every Navy web-page is monitored for OPSEC and content on
an on-going basis by a dedicated risk analysis team manned by four Naval
Reserve Security Group commands.
c.. Public Key Infrastructure (PKI) DoD-level coordination,
implementation planning, and pilot projects focused on device
authentication for stronger access control across trusted boundaries.
d.. Designation as the DoD lead service for implementation of
the Common Access Card (CAC, or "Smart Card") for introduction of PKI.
Additionally, we recognize the importance of the security of
information generated by Global Positioning System (GPS) for our
platform navigation, locating and weapon targeting. As the Navy’s agent
for GPS, we are actively engaged in the joint Navigation Warfare
(NAVWAR) effort.
We are ready to move forward on some IA programs that are
currently under- funded in FY01. These are: COMSEC (high security
cryptographic devices); Secure Voice; PKI; and KIV-7.
Entry Fees to Information Age Power
Achieving our Information Age potential comes with a few “entry
fees”—in other words, you can not achieve the operational outcomes
without certain key investments up front. In addition to network
security and IA, these fees are: a complete network infrastructure; new
operating processes and structures; and, people ready for and trained in
Information Age operations.
Network Infrastructure
IT-21
Making the SIPRNET examples I just cited available to every naval
force afloat means completing the fielding of our IT-21 networks. Our
IT-21 initiative has thus far equipped our four Command Ships, five
Carrier Battle Groups, and five Amphibious Ready Groups. We are
approximately two and one-half years into a six-year initial fielding
plan to fully outfit our afloat forces. In addition to our groups, some
form of IT-21 is scheduled to be installed in every naval combatant.
Slight variations of several related programs are planned, trying to
balance our desire for high bandwidth connectivity and comparable ship
capability with affordability. IT-21 always comes with satellite access
to the classified SIPRNET and the unclassified companion NIPRNET
(Non-classified Internet Protocol Router Network). On command ships, it
also comes with video-teleconferencing capability. In all cases, IT-21
comes with a set of operational tools known as GCCS-M or Global Command
and Control System-Maritime. The GCCS puts a shared, joint, common
operational picture at every desktop and watch station. Additional new
applications are being developed by the operational commanders, and
because these are software-based and can reside in almost any
Internet-Protocol server, the IT-21 infrastructure supports an
incredible amount of adaptability to the various Fleet and Joint
Commanders’ needs. Furthermore, our IT-21 network has allowed us to
establish a tight information security enclave for our ships by bringing
with it all those IA benefits I mentioned earlier. These aspects have
already proven their worth in actual operations.
From where we started a few years ago with reasonable hopes that
IT-21 would bring us new power, we are now at a time when our
operational commanders are counting the ships that do not have IT-21.
The following example is illustrative: USS Mobile Bay was designated by
the SEVENTH Fleet Commander to be the ship on-scene for the recent East
Timor crisis specifically because she is IT-21 equipped. As the time
approaches to replace Mobile Bay on station, the Operational Commander
will want an equally capable ship to similarly share situational
awareness or conduct rapid coordination. As you can see, Operational
Commanders are now managing ships’ employment schedules based on their
IT-21 capability. We need to keep pressing to simplify these difficult
and vital decisions.
Navy-Marine Corps Intranet
To bring those same benefits ashore that we have seen afloat in
our IT-21 operational experience, we have set course on our Navy-Marine
Corps Intranet (NMCI) initiative. For long haul communications, the
NMCI will ride the Defense Information Systems Network (DISN). For
other intranet services, it is Navy’s judgment that industry will
provide a highly competitive solution. In December 1999, Navy issued a
Request for Proposal (RFP) to industry for contracts to field our
Intranet. The Assistant Secretary of Defense for C3I has agreed to the
Department of the Navy’s pursuit of the NMCI with the network utilities
industry, subject to the finding of Navy’s business case analysis. We
are currently conducting this analysis.
There are some very key facets of an intranet that make it very
compelling for us. First, an intranet can provide full collaboration
across every afloat and ashore element of our Department. There will be
no "haves versus have-nots" in the NMCI. Every naval element will be a
full participant. Unlike today, every command and every Sailor will
have the appropriate level of access to fully exploit network
applications and services, and in turn, will be able to contribute
fully. Second, we will increase network interoperability through the
common standards that only a single enterprise intranet can provide.
Like successful business enterprises, the NMCI will provide full access
across the enterprise to common databases and information repositories,
as well as a great cross-functional reach across previously stove-piped
boundaries. Our currently uncoordinated and inconsistently developed
and operated networks do not permit this degree of synergy. The NMCI
will better enable us to support sweeping applications like enterprise
resource planning, or “ERP.” Several pilot projects for ERP have been
chartered by the Navy Department’s Revolution in Business Affairs
Executive Committee (RBA ExComm). Much like a business enterprise, ERP
will enable us to increase efficiencies in distributed design,
development, acquisition, purchasing, distribution of supplies,
maintenance chains, and other business-like activities by making the
process fully interconnected and transparent, therefore becoming better
suited to Fleet support.
Finally and most importantly, intranets bring with them security
measures that are otherwise unachievable in uncoordinated and uncertain
network conglomerations. Improved security is probably the greatest
value-added of our NMCI. We want to take the improved security posture
achieved with our IT-21 capability and expand that secure enclave
ashore. The NMCI architecture framework defines four defensive
"boundaries" in conjunction with our overall IT defense-in-depth
strategy, ranging from the external network boundary to the application
layer. These boundaries will be used to define specific, layered
security measures. Our NMCI guidance also delineates security
requirements for technical and quality of service standards. The
requirements encompass content monitoring, content filtering, virtual
private network (VPN) and encryption standards, standards for
PKI-enabled applications, and web security. Further, the NMCI sets the
qualification standards required for contract systems administrators and
network managers. "Red Teams" are also established under the NMCI to
determine the effectiveness of contract fulfillment toward security
requirements and to perform ongoing network vulnerability and risk
assessment. A "Blue Team" will verify security configuration management
and approve all security architecture choices and security procedures.
The NMCI vendor will be responsible for providing raw data that will be
analyzed by Navy to determine whether an incident has occurred as well
as the magnitude of any incident. None of these security measures can
be guaranteed without an intranet of common standards and required
quality of service.
Since the beginning of this year, Navy has recognized nineteen
computer network incidents on unclassified systems. Our experience with
these and past intrusion attempts validates the importance of
maintaining a technically-astute, responsive IA organization on an
enterprise level. Although we train our System Administrators to run
their systems as securely as possible, and we keep them up-to-date with
IAVAs, NAVCIRT advisories, and other timely technical information, there
is always the element of variation in local procedures, complex software
version upgrades, and network reconfigurations. With NMCI, centralized
system administration will give us the ability to dynamically and
remotely implement (i.e., "push") "best practices", countermeasures, and
secure network configurations to permit a near-real time,
technologically uniform implementation of IAVAs and technical advisories
Navy-wide. For example, while local commands would continue to author
the content of organizational web pages, the web pages themselves would
reside on uniformly and centrally configured NMCI servers--configured in
accordance with DoD/DoN best practices. Vulnerability to web page
"hacks" will be uniformly mitigated across the enterprise.
NMCI will also accelerate the desired proliferation of Class 3
PKI-enabled web pages and authentication measures for appropriately
authorized access to, and modification of, Navy web sites. The uniform
implementation of PKI/certificate authorities and anti-virus signatures
across the NMCI enterprise will considerably reduce risks of external
intruder root access gained by the "sniffing" of passwords, and from
unsolicited e-mail with malicious attachments or "Trojan horses", such
as last year's "Melissa" episode.
Organizational Processes and Structures
Because there is so much appropriate attention to
fielding the physical network infrastructure, it is sometimes easy to
overlook the organizational dimensions. In all of my statement thus
far, however, there are glimmers of the tremendous need to focus on
these organizational dimensions. I have already highlighted the need
for adequately empowering Sailors with the ability to collaborate in new
ways. The obvious move of the Systems Administrators to the center of
our security efforts indicates important organizational adaptation.
Enterprise Resource Planning clearly leverages the network's reach
across former organizational boundaries. These are just a few examples
of the ongoing shifts in organizational processes and structures that
are absolutely necessary to attain the full power of the networks.
Others must follow.
We are constantly addressing our work processes. We know from
industry that organizational structures and processes are changing
extensively in the Information Age. A common theme in the business
arena is to “disaggregate your current ways of business and re-aggregate
them on the net.” This is indeed what Network Centric Operations is all
about. A very important effort to examine and adjust our business and
operating processes is taking place at THIRD Fleet where the JOHN C.
STENNIS Battle Group has just been outfitted with IT-21. THIRD Fleet’s
Network Centric Innovation Center (NCIC) has been targeting the
improvement of Battle Group processes based on the IT-21 network. This
low cost, high leverage activity is indeed a critical entry fee to
achieving full operational potential of our networks.
A byproduct of our success in process-redesign efforts
like the NCIC, as with our experience with IT-21, is our recognition of
an increasing need for more Information Management (IM), Knowledge
Management (KM), Bandwidth Management, and improved Network Management
procedures overall. Navy recently introduced our FY 2000-2001 IM/IT
Strategic Plan. Our Intranet Knowledge Management Working Group
(IKMWG), which was chartered last year by the RBA ExComm and is under
the leadership of the Department of the Navy Chief Information Officer
(DoN CIO), is pursuing many of the plan's objectives. The IKMWG has
begun to catalog and leverage the many lessons learned from several
existing Navy KM initiatives. We are also leading the charge on a DoN
enterprise “knowledge portal," a tailored web site that acts as the
front end for a tremendous amount of Navy documented knowledge and data
repositories. The knowledge portal will be akin to having a Navy-wide
librarian on your desktop. Finally, we are conducting a pilot project
on standardizing databases. This effort will teach us how and where
data and information is best organized on our networks to permit
plug-and-play functionality.
People
Today, tomorrow, and in the future, our people are always our most
vital resource. They are truly the most adaptive element in our
warfighting organization. I have already highlighted the need to
empower them with our distributive network infrastructure and policies,
and how we have enhanced their capabilities through our security-related
specialist training. I would like to mention some specific initiatives
we have directed at personnel structure, skills and training.
We have commenced fashioning an end-to-end approach to enlisted
personnel in the Communications, Information Systems, and Networks—or
“CISN”—field. The Navy has re-designated the Radioman (RM) rating to
the Information Systems Technician (IT) rating. Along with this change
in focus, come the following high impact actions:
· Increased Selective Re-enlistment Bonus (SRB) across all
promotion zones
· Advancement opportunity well above Navy-wide averages for
all pay grades
· The IT rating is open to all non-rated, first enlistment
Sailors (“GenDets”)
· Rate conversion for E-5 and below into IT has been opened
up significantly
· Aptitude requirements for entry into the rating have been
increased
We have also tripled the training availability for network system
administrators over the last four years to 188 seats/quarter. With the
rapid infusion of our networks, this is a critical support item. We
have identified an upward trend in retention of our IT-rated
professionals when they have received formal training as systems
technicians or administrators in their first enlistment.
Transformation
An additional challenge is that something fundamental
is happening that can truly be considered transformational. We
concentrate a great deal on the infrastructure, but as I have said, our
people and their new collaborative behavior in these networks are
extraordinary. The shapes and processes of all of our organizations are
in transition. The “network effect,” where organizations are now
working in a “many-to-many” system, creates relationships that cut
across former boundaries in all directions. Sometimes these
relationships are highly transient and focused on a single unique task,
and sometimes they become established to accomplish many tasks over
time. They draw on Navy-wide intellectual and informational resources
in richly personal ways that make a difference in real operational
events. Often, new “communities” of practice arise. Sometimes we have
consciously facilitated this new organizational behavior, but most
frequently the people themselves see the new power and reach for it
themselves. Sometimes, we do not even notice at first glance.
This “many-to-many” system is inherently non-linear. I venture to
say that because the possible networked combinations are so incredibly
numerous, it is exponentially non-linear. My Directorate has been
spurred by our IT-21 experience and a concurrent need for models and
metrics that will show how new IT network investments achieve discrete
operational outcomes. We continue to work hard on this, but we are
convinced that the fundamental transformation happening here has raised
the degree of analytic difficulty by an order of magnitude or more.
Highly discrete analytic metrics may not reveal themselves until we move
further with this transformational shift. We are keeping up the press,
and in the meantime, our best and most convincing evidence of value are
the clear operational results--highlighted by my examples--that simply
could not happen without our new networking investments.
The dawn of the Information Age is truly a remarkable
time. In society at large, we expect the ride to continue, fueled by
both economic and social imperatives. Alan Greenspan and other experts
have described this transformation as “creative destruction,” where the
old systemic order is pushed out by a new and better order on a whole
new level. For Navy, our imperatives are strategic, operational, and
tactical in the ways I have already described to you. And to attain
this whole new level of combat performance and realize our full
Information Age potential, we must continue strong investment in our
entry fees. More than half of our afloat forces are awaiting our new
IT-21 networking capability. We have not yet realized our Navy-Marine
Corps Intranet, an effort to achieve the most efficient, effective, and
secure networked naval community we can. We have just begun to
adequately train our people to work in this environment, including how
to conduct network-based operations under security stresses. These are
things we must do. We have made a great start. Maintaining our pace
and gaining momentum now is our greatest imperative, ultimately leading
to our future--a Network Centric Force.
Thank you very much for the opportunity to comment.